Switching to Linux delivers many benefits for users. From a more stable system to a vast selection of good quality open source software, you’re onto a winner. And it won’t cost you a penny!

Another advantage of Linux is the increased degree of security. The Linux desktop is ignored by the majority of malware developers. So in most cases, you should be fine running any Linux operating system you choose.

But if you want an extra degree of security and privacy, you might consider a Linux OS that offers some enhanced features in these areas. Various options are available here, but which one should you choose?

Who Can Benefit from a Secure Operating System?

With many advantages to using a secure operating system, it might not be clear whether you should be using one. Perhaps it seems more suited to someone else. This is probably not the case.

Average computer users in an oppressive or censored environment (home country, city, place of employment or education, even a cyber café!) can certainly benefit. This may or may not mean you, but it probably does mean someone you know.

One of the problems with operating systems is that they remember. If anyone wants to find out what you’ve been up to, it’s a trivial matter to check your logs. Viruses and worms can be installed without your knowledge; they’ll still be there when you reboot.

Everything is stored.

But you can get around this with a live OS called Tails, which will run from a USB stick, SD card, or DVD.

Tails enables you to preserve your privacy and anonymity, which is vital for avoiding online censorship. As such, all internet connections while using Tails are routed via the Tor network. For further privacy and security, state-of-the-art cryptographic tools are employed to encrypt your vital files and communications (e.g., emails, instant messages, etc.).

Currently the only operating system in ongoing development that is run within a VM with Tor, Whonix isn’t just available for Linux. It’s also available for macOS and Windows!

Additionally, Whonix can be run as a virtual machine in VirtualBox. Whichever installation method you choose, you’ll end up with an anonymous operating system protected against DNS leaks and malware. In short, your online activity cannot be accurately observed, and the sites you use will not recognize you as a repeat visitor (unless you’re in the habit of signing up and logging into websites!).

It’s important to note that Whonix is not available as a typical Linux OS that you can download and install. It can be installed as an application on Windows, macOS and Linux, or deployed as a virtual appliance in VirtualBox.

Offering protection against Trojan-based surveillance, Discreete Linux provides you with an isolated working environment that spyware cannot access. As such, your data is protected against surveillance, and it can be stored securely.

Note that “Discreete” is not a typo. Rather, it is a cross of the two spellings and meanings of “discrete” and “discreet”. As befits such a name, it might not surprise you to learn that Discreete Linux began life as Ubuntu Privacy Remix back in 2008.

In a theoretical sense, Discreete Linux secures your system by preventing access, and blocking malware from spreading. Once running, various conditions are set; for instance, ATA hard disk drives will be blocked from running (data can be accessed via the cloud).

Describing itself as “a reasonably secure operating system”, Qubes OS has a wealth of strong reviews and endorsements, which we’ll come to in a moment.

Qubes OS offers a secure computing environment not by simply diverting web traffic via a dedicated proxy, but by using virtualization. Running on the Xen bare metal hypervisor (essentially virtual machine software that runs without a full operating system), Qubes OS provides you with multiple virtual machines that run seamlessly as a desktop.

The result is that programs of different types are grouped by virtual machine (Qubes), with window border colors giving an indication of the trust level of that VM. For example, an app with no requirement for internet connectivity would be more trustworthy than, say, your web browser. Qubes OS even isolates vulnerable components like network cards in their own hardware Qubes.

Qubes OS also supports copy and paste between the discrete VMs, with data carried via a secure file transfer system.

Still not convinced? Well, Edward Snowden himself tweets:

If you're serious about security, @QubesOS is the best OS available today. It's what I use, and free. Nobody does VM isolation better. https://t.co/FyX5NX47cS

What’s Your Secure Linux Distro?

Other secure Linux operating systems are available, but we reckon those listed here are the best. Of course, we could be wrong, so tell us in the comments. Also, we’d love to hear from you to find out which secure Linux OS you’re currently running!

Scott Rott

September 29, 2017 at 6:09 am

I rely on my personal built upon Tails, while hiding from Russian-connected private spy services. But believe me, please - because you are the most Westerns and you have not a clue to even imagine, what is A Real Evil in the face of the Today's Private, Fully Functional and Alive Structures of KGB and GRU in EVERY post-communist country like mine, in order to handle finally that simple fact, that's written below especially for the new, but brilliantly professional MakeUseOf.com Editorials, and for every average+ intelligent human reading it:

If NSA has its PRISM program for mass-surveillance - information that had blasted over the globe from the "once upon a time" KGB Officer Vladimir Putin's CURRENT pet and asset (don't be stupid!), Edward Snowden - who, believe me, had been fully aware of the Russian Federation's criminal cyber mass-terrorism, which brings to the Private, Alive KGB Elite Billions in stolen money by the so-called "Organized Cyber Crime" mainly from U.S. citizens (on at least %80+) - and U.S. Banks! You should have no doubt that Edward has been absolutely for sure informed of these - believe me - decades old Russian Federation's mass-criminal robbery activities, targeted mainly over USA, seriously - enough far before they have been decided to initiated him in their PRISM program!...
And what this greedy moral invalid actually did? Knowing about the Russian immense wealth of stolen Trillions - the most from all post-communist satellites of USSR - he did what? From a paycheck relying NSA lower-ranked agent, waking up at 5am to serve the Nation from 6am every day, this moral invalid now is living better than undoubtedly the most of the "set-up" by KGB Russian Facade Oligarchs - but with all the privileges that the para-official-power of KGB over Russia and Putin could give him, in his status of the most productive influential Russian PR and Anti-Americanism's psychological weapon, that still gives influential Disinformation interviews with already old-school KGB trained angel face of a calm honest hero against the evil American National Security Agency, that don't care neither for the drugs in Dark Markets - I just know - neither even for the AK-47 trade in there!!!
ARE GETTING THE IDEA OR AT LEAST SOME BASIC UNDERSTANDING, WHAT IS EDWARD SNOWDEN, AND MORE IMPORTANTLY, DID RONALD REAGAN HAD GONE TOO FAR, OR WAS NOT QUITE SERIOUS, WHEN CALL THE PAST RUSSIAN FACADE-COMMUNISM EMPIRE: "EMPIRE OF THE EVIL"???

NSA, at the times of the sh*t's cash out to Russia treason, hadn't interest than other, except for Islamic terrorism stuff, that could be dealing in the Dark Nets. PRISM even weren't interested in child pornography, you victims of the Russian Disinformation Global Machine. PRISM is still about National and all the Western Civilization's NATO aliases Security Agency. DEA and FBI's job are the drug-dealing through the Multilevel "Dark" Webs through Tor, where you could order even an AK-47, but overall it's all for kids and small rats, not for real criminals...

OK, Qubes OS is worthy, even that it's hardly to be blind for these thousands of spy bridges and relays today in the Tor. It'll become the same with I2P.
Anonymity for the end-user through the Net is a myth! And if there are still Dark Markets, that is because they all are selling less than in a single Amsterdam's Neighbourhood through the Summertime?

I dunno. I'm surmising author is not native English speaker and that country of residence is former Soviet Union probably now Russia. Whereas I may not agree on all elements as written, I certainly believe the perspective of people once, perhaps still, caught in that former Soviet labyrinth of Orwellian intent, may be somewhat appropriately portrayed in his harbinger of cyber surveillance and misuse.

I appreciate your article. Don't understand some people having continuous problems with Linux. I found after looking at various distributions that Linux Mint with Mate suited the way my brain works. My wife and I both use it our computers without problems. Have used Tails while travelling and other computers.

The open source community would very quickly find that an operating system was compromised because in open source software all code is available to be scrutinised, unlike closed source software such as Microsoft and Apple.

That is a mere assertion, not a proof. Name exactly when, where and who revealed problems and patched them, please. That would be interesting, how many of this "open source community" are checking millions lines of code of a few hundreds distros and software, too. Open source software is not patched for years. Linux Mint offers security updates for the kernel, but defines it as 5 in the update manager, i.e. you might kill your OS. As you know a lot about the "open source community" I assume you are part - how are you examining mentioned codes, if at all? Linux is by far not so secure, as it is everywhere advertised.

You can ask the same question about Windows patches: "exactly when, where and who revealed problems and patched them".
I guess you can contact The Linux Foundation or Linus Torvalds if you really need to know.
Or you could peruse the official Linux git repository.

Dc

January 27, 2017 at 1:38 pm

Now is the time for more True American Youth to be supported by the feds instead of foreigners in
High tech education and develop the best, " MADE IN AMERICA" tamper proof and new skilled language
outside of the IBM Microsoft apple monopolies! It is a new Trumponian era!

I had shifted to Linux because I felt that Windows is not secure but I had a lot of problems with Linux. I tried Linux Mint and had problems, it was difficult to use network printer, sorted it out but still could not scan documents on my scanner, printer and copier. Then one day my hard disk crashed. Got a new hard disk and installed Ubuntu. Now I am not able to use neither my printer nor my scanner, the Bluetooth does not recognise any nearby device. A recent problem is that the laptop battery won't charge when in use. I am an average user who is paranoid about security and I do not have time to endlessly trying to configure my system so I am going back to Windows but I am still not very comfortable with its porous privacy and security. Can I use TAILS or LPS on a Windows laptop? Really appreciate your article and will be thankful if you could give some tips.

Use Qubes, it's the best and easiest to understand with millions of tutorials. Using Windows with a VM VirtualBox is not safe at all as it is super easy for any federal corporation to see exactly what you're doing on the screen even if you use a Linux-based VM on it.

Maybe it's just my system in particular but almost EVERY DAY I have to go and re-install what ever Linux distro I'm using.
Makes me sick
I have had good luck with running LIVE distros on a stick but when I install it to hard drive within 24 hours its time to re-install.
The scumbags are EVERYWHERE and that's no joke.
And it does NOT help that the router I log into is run by a paying computer illiterate that could care less about being secure.
Truth of the matter is there are two types of people in the world. The smart and the stupid. And the stupid are making stupidity reproduce CONSTANTLY like its life and death or something. STUPID PEOPLE ARE WINNING THE WAR ON IGNORANCE and are bringing about the doom of human life. Next time you want to go out and get laid think about responsible fatherhood and the potential to have an IDIOT FUNBOY TOOL running around. Great thing to sacrifice your bachelorhood and freedom for ---AIN'T IT ?

Ok, nice discussion but i can confirm Sagar Gorijala i have the last 6 years much more linux distro tested such as Ubuntu, Fedora, openSUSE, Debian, CENTOS and many more but openSUSE was the only one that i accepted, its stable, have a good performance and in combination with SELinux secure, i use openSUSE Linux ( and the SLE Server 12 ) in a highperformance Supercomputing Environment, no viruses, no malware nothing. I like it.

I just want to say that I have indeed been hit in Ubuntu, three viruses found by clam, and several attacks on my external hard drive. I was in microwave countermeasure systems which is highly classified but am long since retired. It's not always paranoia.

I believe Sparkylinux is the best linux distro for an average user who owns a low spec computer. Can you please make a review on the amazing Sparkylinux. I used more than 15 linux distributions and found only OpenSUSE and Sparkylinux to be error free. And, Sparkylinux is faster and more responsive than OpenSUSE. Though it's true that both of them are very stable linux distros. OpenSUSE needs more RAM and Sparkylinux comes with various minimal RAM usage distro versions and LXDE in Sparkylinux is error free and LXDE in Sparkylinux is far better than LXDE in other Linux distros. Sparkylinux is worth a mention and it's also worth your valuable time. So please make a detailed review on Sparkylinux. Unfortunately Sparkylinux is unknown to ignorant masses and I was one of them and, it's true that failure caused by other distros make Sparkylinux more beautiful. If other distros didn't fail for an ignorant average user like me, I would have never realized how beautiful Sparkylinux is and how amazing Sparkylinux tiny specialized apps are. Thanks.

NSA sez New SELinux code is no longer released on this site. SELinux is included in a number of Linux distributions. You can also find the SELinux source code at the following external links.
SELinux kernel code is included in the mainline Linux 2.6 kernel,
available from http://www.kernel.org/
NSA seems to be saying it's already out there and included in present day releases.

And isn't the kernel core code in all late windows versions straight from linux w/microsoft tweaks added on?
Hafta agree with John on data saves

Windows absolutely does *not* use Linux (with or without "Microsoft tweaks") whatsoever. The Windows kernel is a completely different closed-source project which is about as far away from Linux as possible. Sorry, but you're incorrect.

"Windows absolutely does *not* use Linux (with or without “Microsoft tweaks”) whatsoever. The Windows kernel is a completely different closed-source project which is about as far away from Linux as possible."
Since Windows is proprietary and closed-source, very few people really know what is contained in the source. So the source can contain a lot of code "borrowed" from other O/Ss, especially the open-source ones like Linux and BSD. All we know for sure is that Windows does not contain any Linux/BSD security code.

---> This distribution is maintained by the US Air Force, and is as far as I know the only distribution coming from the American government.

Not so. It is not the only Linux distribution available from the U.S. government and is not even the most secure. That title belongs to NSA Linux, available from NSA (the No Such Agency) at http://www.nsa.gov/research/selinux/

"SELinux is included in a number of Linux distributions." http://www.nsa.gov/research/selinux/code/download1.shtml
You should be able to get the last version from their archive here.
Even though it's no longer maintained, you can still download it. It's probably been added to the Linux kernel, though, since it's so secure.

I use Mint but have added noscript, adblock, flashblock, and HTTPS Everywhere to my Firefox. Also, I set its temp directory to be in RAM and made that folder noexecute. I added PGP support to Thunderbird and I added Clam AV. I have TOR too. In 20 years of computing and 19 on the Internet, I have never had a virus or any malware. Only the paranoid survive!

@Joe P
would you please mind to write a short tuto about those tricks? i am getting inclined to linux day by day, would love to know how to do those steps. just running a bunch of commands in the terminal, i guess. but i need the commands!

I agree... those are some good tricks, especially putting temp in RAM, which I would love to know the trick to doing. I just started using Mint and like it more than Ubuntu. If you don't mind sharing... you will have my prayers and gratitude.
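The setup asked about in the comments above (a temp directory held in RAM and marked no-execute) can be sketched as follows. This is an added example, not from the commenters or the article: the path `/home/user/.fxtmp`, the function names `audit_mount` and `sample_mounts`, and the mount table are all constructed for illustration, and it assumes the browser is started with `TMPDIR` pointing at that path.

```shell
#!/usr/bin/env bash
# Added example: check that a directory is a RAM-backed (tmpfs) mount with
# execution disabled. Paths and the sample mount table are constructed.

# An /etc/fstab entry that would create such a mount (hypothetical path):
#   tmpfs  /home/user/.fxtmp  tmpfs  rw,noexec,nosuid,nodev,size=512m,mode=0700  0  0

# audit_mount MOUNT_POINT   (reads a /proc/mounts-style table on stdin)
# Prints one of:
#   ok            tmpfs mounted with noexec
#   exec-allowed  tmpfs, but files on it can still be executed
#   not-tmpfs     a mount point, but backed by something other than RAM
#   not-mounted   not a mount point of its own (lives on a parent filesystem)
audit_mount() {
    local target=$1
    local dev mnt fstype opts rest found=""
    while read -r dev mnt fstype opts rest; do
        # A later mount on the same path shadows an earlier one,
        # so remember only the last matching entry.
        if [ "$mnt" = "$target" ]; then
            found="$fstype $opts"
        fi
    done

    if [ -z "$found" ]; then echo "not-mounted"; return 1; fi
    fstype=${found%% *}
    opts=${found#* }
    if [ "$fstype" != "tmpfs" ]; then echo "not-tmpfs"; return 1; fi
    # Wrap in commas so "noexec" only matches as a whole option.
    case ",$opts," in
        *,noexec,*) echo "ok"; return 0 ;;
        *)          echo "exec-allowed"; return 1 ;;
    esac
}

# Constructed sample in /proc/mounts format (not taken from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /tmp ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
tmpfs /home/user/.fxtmp tmpfs rw,nosuid,nodev,noexec,relatime,size=524288k,mode=700 0 0
EOF
}

# Report on the directories a browser or user might write temp files to.
for dir in /home/user/.fxtmp /tmp /var/tmp /dev/shm; do
    printf '%-20s %s\n' "$dir" "$(sample_mounts | audit_mount "$dir")"
done
```

On a live system the same check runs as `audit_mount /tmp < /proc/mounts`.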

Check out SELinux. It is also a U.S. Government OS created platform. It was developed by the National Security Agency for research purposes. I read somewhere that to date, that OS has never had a virus, or being hacked into. Probably because the OS is so rare as opposed to it being uncrackable.

Hm... That is interesting! I downloaded this several months ago and have a copy on CD. But I had a look again after your comment and couldn't find it anywhere. It doesn't appear to be on its home page, the NSA has stopped distributing it and mirror websites such as SourceForge don't have it anymore. Well... All I can say is that it has to be available from somewhere. Once on the internet, it stays as they say. I'd assume it would be available as a torrent. But it is hard to tell which ones are legit and what ones are loaded with viruses.

I would love to see a laptop, for example, shipped with the OS on an microSD or SD card with a non-writable tab (flip tab = no write functions possible). You would flip tab to tweak system, install new apps, etc... Once done, write-protect and reboot. OS runs in RAM (with read access to SD card) and the hard drive is used only as a data drive (no boot sector) for your docs, media, etc... (accessible by other micro/SD cards holding alternative OSes). I might be the only one who likes this idea:-)

Another paranoid option is running OSes in a Virtual Environment. While an OS might be particularly susceptible to intrusion, recovery is often easier because of the sandboxing aspect. Data access between the Virtual OS and the Real OS can sometimes be a problem though.

For common users, the most important thing is their data. It isn't the OS, the applications (especially if you're using non-proprietary data formats) or even a manufacturer of hardware - it's making sure your data is backed up so that you can access it with any OS or device.

I like your plan for the laptop, I would personally use one computer for private offline use for keeping my files and my data and doing things like writing or using cad for instance that do not require internet. And another one for online internet use. I thought up that booting from a readonly DVD live os in a bleuray readonly drive ( no burner) is best and fastest since a blueray drive is faster in transferring data than a DVD drive. Also why readonly ? Because although you cannot really add data once a disk is finalized, but you can if you really want to, force a disk to turn on the burn laser and destroy a disk. And indeed let the system run in ram with maybe 32 Gb ram as minimum, and occasionally put in a cd or DVD in a burner readonly no rw, that is safest. Sad to say that I have to use a USB hard drive sometimes to transfer large files or many small ones. I think I am going to use this setup. Maybe I can use Windows again in my offline computer. Although I might have to desolder my mike and speaker from the motherboards since there seems to be the possibility of an ultrasound data connection between the motherboard of the online and offline computer. NSA is always a bit to curious about what people do with offline computers. Well once on this road you might as well install a power grid filter on the offline computer power supply to make sure no data escapes through a built in power grid network thingy, these are for sale as separate devices but can surely be build in. Oh and maybe also a separate groundpin that goes toward groundlevel in the backyard to make sure the whole computer cabinet ain't acting like a transmitter. Think I am paranoid ? I am way not paranoid enough to work for a computer security dept.

Have always wondered why now the os HD isn't electrically write protectable. Back in Tandy days, external HDS had write protect switch on front panel which controlled the wp line on HD interface connector.

Wp, load ram, do whatever. Any changes were made to os image in ram, and power off wipes ram clean.

Maybe a lot like fresh install from CD every time you boot, only lightning fast, and never a hack, never malware in your os.

That is exactly what they are doing! It's not like they can't pull your IP at anytime they want or something far easier than convincing people to install a custom Linux distro. But just to be safe stay away from this, they'll be watching...

Danny Stieben

July 4, 2012 at 3:15 pm

Hahaha, if you guys insist...

Bruce Epper

July 7, 2012 at 2:34 am

You also need to remember that this was created for the Air Force road warriors usage as well. Do you really think they would compromise the system they want their laptop users to utilize while on the road? Really, think about it.

They probably have a secret memo they give to all the Air Force personnel who have high security clearance which tells them how to disable the built in spyware in their OS which tracks what the users are doing. I can't prove they in fact include spyware, but it wouldn't surprise me. The advantages of including their own spyware in their OS is they can track their citizens or even their enemies if they think the same way you guys do "its US Army, it must be secure!", but also they can spy on their own soldiers to ensure none of them are spies or planning to leak sensitive internal information they may or may not be cleared to access.

And since it is used on laptops, any spyware on it could prove to be of use to anyone who manages to steal it. Would you set up something like this for your use or for your family members?

The "its US Army, it must be secure!" comment is way off the mark as well. I never made that claim at all. No system will ever be completely secure unless it is never used. And we were referring to an Air Force product anyway, not Army.

Then all they need is someone who forgets to disable your alleged spyware while accessing classified systems remotely (needed document for briefing POTUS).

Your comments just bring up even more doubts that they would bastardize a system in such a manner.

RedScourge

July 15, 2012 at 6:53 am

"And since it is used on laptops, any spyware on it could prove to be of use to anyone who manages to steal it."

True of all spyware, but immaterial.

"I never made that claim at all."

No, you didn't, but many do and I just wanted to point it out so people don't fall into that trap. Sorry also for interchanging Air Force for Army.

"Then all they need is someone who forgets to disable your alleged spyware"

For that to be true, both this and your claim that someone else could hijack it would have to BOTH be the case simultaneously, which is exceedingly unlikely. They'd be using the spyware for its intended purpose, notice that too high level of documents were accessed on a computer with the spyware installed, and I specifically had mentioned that sort of thing earlier. It's a possible downfall but everything is risk management.

The other thing to consider is that even if I'm wrong and this is a stupid thing to do, the government is pretty stupid quite often, so they might just do it anyway.

Yo yoyo

April 5, 2015 at 3:41 pm

Like letting the sheep watch the lettuce. Is secure for them. But they have the codes just in case there is a Snowden present.

You're right about security by obscurity. Systems become even more susceptible with additional programs running. There was even the hack into Google's Systems because at least one person was running IE6.

Not sure what you meant about Mac virus and a month ago. Here's a timeline of Mac OS viruses as early as 2004:

Totally agree with you Danny. Root access is key to compromising a Linux system unlike the Swiss cheese like security of a Windows system. Jason, who said Mac doesn't get viruses? Apple, that's who, why would they say that? Because they just want to sell computers. Anything can be cracked or hacked given enough knowledge and time.

Exactly. Mac OS X is still better (IMO) than Windows, but Linux is overall the best.

Bruce Epper

July 7, 2012 at 2:33 am

OpenBSD is probably still the best option for a secure OS.

Dominic

July 2, 2012 at 6:59 pm

He did. "Just be aware that there is a difference between security distributions and secure distributions. Backtrack Linux is an example of a security distribution while the ones I mentioned above are secure distributions."

This article was about secure distributions not security distributions.

If I did cover Backtrack, it would simply merge into the same category as my last point, as Backtrack then wouldn't have any extra advantages over say Ubuntu because it's a security distro and not a specifically secure distro.

Christian Cawley is a Deputy Editor at MakeUseOf, covering security, Linux, DIY and programming, with extensive experience in desktop and software support. Christian is a regular contributor to Linux User & Developer magazine, as well as specials including Raspberry Pi for Beginners, and Raspberry Pi for Kids. He's a Raspberry…